iptables-1.8.7-12.el9
- arptables-nft-helper: Remove bashisms - ebtables-helper: Drop unused variable, add a missing quote - extensions: libxt_string: Avoid buffer size warning for strncpy() - libxtables: Introduce xtables_strdup() and use it everywhere - extensions: libebt_ip6: Use xtables_ip6parse_any() - iptables-apply: Drop unused variable - nft: Avoid buffer size warnings copying iface names - nft: Avoid memleak in error path of nft_cmd_new() - libxtables: Fix memleak in xtopt_parse_hostmask() - extensions: libebt_ip6: Drop unused variables - libxtables: Drop leftover variable in xtables_numeric_to_ip6addr() Resolves: RHBZ#1938745
parent
c842cc8e23
commit
18fd73d348
@ -0,0 +1,33 @@
|
|||||||
|
From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Fri, 13 Nov 2020 21:04:39 +0100
|
||||||
|
Subject: [PATCH] libxtables: Drop leftover variable in
|
||||||
|
xtables_numeric_to_ip6addr()
|
||||||
|
|
||||||
|
Variable 'err' was only used in removed debug code, so drop it as well.
|
||||||
|
|
||||||
|
Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
|
||||||
|
---
|
||||||
|
libxtables/xtables.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||||
|
index bc42ba8221f3a..6947441fec659 100644
|
||||||
|
--- a/libxtables/xtables.c
|
||||||
|
+++ b/libxtables/xtables.c
|
||||||
|
@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
|
||||||
|
struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
|
||||||
|
{
|
||||||
|
static struct in6_addr ap;
|
||||||
|
- int err;
|
||||||
|
|
||||||
|
- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
|
||||||
|
+ if (inet_pton(AF_INET6, num, &ap) == 1)
|
||||||
|
return ≈
|
||||||
|
|
||||||
|
return NULL;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
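--- a/0006-extensions-libebt_ip6-Drop-unused-variables.patch
+++ b/0006-extensions-libebt_ip6-Drop-unused-variables.patch
@@ -0,0 +1,49 @@
+From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 13 Nov 2020 21:13:50 +0100
+Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
+
+They are being assigned to but never read.
+
+Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
+---
+extensions/libebt_ip6.c | 6 ++----
+1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index b8a5a5d8c3a92..301bed9aadefd 100644
+--- a/extensions/libebt_ip6.c
++++ b/extensions/libebt_ip6.c
+@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
+static struct in6_addr *numeric_to_addr(const char *num)
+{
+static struct in6_addr ap;
+- int err;
+
+- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
++ if (inet_pton(AF_INET6, num, &ap) == 1)
+return ≈
+return (struct in6_addr *)NULL;
+}
+@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
+char buf[256];
+char *p;
+int i;
+- int err;
+
+strncpy(buf, address, sizeof(buf) - 1);
+/* first the mask */
+@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
+if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+strcpy(buf, "::");
+
+- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
++ if (inet_pton(AF_INET6, buf, addr) < 1) {
+xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
+return;
+}
+--
+2.31.1
+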
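--- a/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
+++ b/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
@@ -0,0 +1,29 @@
+From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 11:04:30 +0200
+Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
+
+The allocated hostmask duplicate needs to be freed again.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
+---
+libxtables/xtoptions.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index d329f2ff7979e..0dcdf607f4678 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
+cb->arg = p;
+xtopt_parse_plenmask(cb);
+cb->arg = orig_arg;
++ free(work);
+}
+
+static void xtopt_parse_ethermac(struct xt_option_call *cb)
+--
+2.31.1
+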
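Review bot: The added `free(work)` at the end of xtopt_parse_hostmask() is only safe if nothing that was handed the duplicate keeps a pointer into it, and the hunk does not show that. `cb->arg` is restored to `orig_arg` before the free, which covers the one alias visible here, but xtopt_parse_plenmask() and whatever parsed the host part earlier in the function received pointers into `work` as well. Once confirmed, a short comment above the free such as `/* the parsers copy their results; nothing references work past this point */` would record the assumption. The function starts outside the hunk, so the allocation and any early-return path are not visible for review.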
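--- a/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
+++ b/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
@@ -0,0 +1,34 @@
+From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 11:55:20 +0200
+Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
+
+If rule allocation fails, free the allocated 'cmd' before returning to
+caller.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
+---
+iptables/nft-cmd.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 5d33f1f00f574..9b0c964847615 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+
+if (state) {
+rule = nft_rule_new(h, chain, table, state);
+- if (!rule)
++ if (!rule) {
++ nft_cmd_free(cmd);
+return NULL;
++ }
+
+cmd->obj.rule = rule;
+
+--
+2.31.1
+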
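Review bot: `nft_cmd_free(cmd)` in the new `if (!rule)` branch runs on a command that, as far as this hunk shows, has not yet been linked into the handle's command list. If nft_cmd_free() unlinks the object as part of tearing it down (its body is not on this page), it would operate on a list head that was never initialised, turning an allocation failure into a crash instead of a clean NULL return. Either initialise the list head right after `cmd` is allocated, e.g. `INIT_LIST_HEAD(&cmd->head);`, or confirm that nft_cmd_free() is safe on an unlinked command. nft_cmd_new() starts and ends outside the hunk.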
@ -0,0 +1,56 @@
|
|||||||
|
From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Wed, 2 Jun 2021 11:58:06 +0200
|
||||||
|
Subject: [PATCH] nft: Avoid buffer size warnings copying iface names
|
||||||
|
|
||||||
|
The call to strncpy() is actually not needed: source buffer is only
|
||||||
|
IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to
|
||||||
|
avoid compiler warnings due to size parameter matching the destination
|
||||||
|
buffer size by performing the copy using (dumb) memcpy() instead.
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff)
|
||||||
|
---
|
||||||
|
iptables/nft-ipv4.c | 4 ++--
|
||||||
|
iptables/nft-ipv6.c | 4 ++--
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||||
|
index a5b835b1f681d..34f94bd8cc24a 100644
|
||||||
|
--- a/iptables/nft-ipv4.c
|
||||||
|
+++ b/iptables/nft-ipv4.c
|
||||||
|
@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command,
|
||||||
|
*/
|
||||||
|
cs->fw.ip.invflags = args->invflags;
|
||||||
|
|
||||||
|
- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
|
||||||
|
+ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
|
||||||
|
memcpy(cs->fw.ip.iniface_mask,
|
||||||
|
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||||
|
|
||||||
|
- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
|
||||||
|
+ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
|
||||||
|
memcpy(cs->fw.ip.outiface_mask,
|
||||||
|
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||||
|
|
||||||
|
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
||||||
|
index 46008fc5e762a..d9c9400ad7dc3 100644
|
||||||
|
--- a/iptables/nft-ipv6.c
|
||||||
|
+++ b/iptables/nft-ipv6.c
|
||||||
|
@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
|
||||||
|
*/
|
||||||
|
cs->fw6.ipv6.invflags = args->invflags;
|
||||||
|
|
||||||
|
- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
|
||||||
|
+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
|
||||||
|
memcpy(cs->fw6.ipv6.iniface_mask,
|
||||||
|
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||||
|
|
||||||
|
- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
|
||||||
|
+ memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
|
||||||
|
memcpy(cs->fw6.ipv6.outiface_mask,
|
||||||
|
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
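Review bot: Replacing `strncpy()` with `memcpy(..., IFNAMSIZ)` in nft_ipv4_post_parse() drops the zero padding strncpy() wrote after the terminator, so every byte of `args->iniface` and `args->outiface`, including whatever follows the NUL, now lands in the rule's interface fields; the same applies to the two copies in nft_ipv6_post_parse(). That is harmless only if the source buffers are zero-filled before the name is written, which the commit message implies but the hunks do not show. It is worth stating next to the copies, e.g. `/* args->iniface is IFNAMSIZ bytes, NUL-terminated and zero-padded by the parser */`, and backing the size assumption with `_Static_assert(sizeof(args->iniface) == IFNAMSIZ, "iface buffer size");`. Both functions begin and end outside their hunks.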
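--- a/0010-iptables-apply-Drop-unused-variable.patch
+++ b/0010-iptables-apply-Drop-unused-variable.patch
@@ -0,0 +1,29 @@
+From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 12:50:57 +0200
+Subject: [PATCH] iptables-apply: Drop unused variable
+
+It was assigned to but never read.
+
+Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
+---
+iptables/iptables-apply | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/iptables/iptables-apply b/iptables/iptables-apply
+index 4683b1b402d08..3a7df5e3cbc1f 100755
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -231,7 +231,6 @@ case "$MODE" in
+"$RUNCMD" &
+CMD_PID=$!
+( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
+- CMDTIMEOUT_PID=$!
+if ! wait "$CMD_PID"; then
+echo "failed."
+echo "Error: unknown error running command: $RUNCMD" >&2
+--
+2.31.1
+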
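Review bot: With `CMDTIMEOUT_PID` gone, nothing in the visible lines can cancel the background `( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &` timer once `wait "$CMD_PID"` returns. When the command finishes early, the subshell keeps sleeping and later signals a PID that no longer belongs to the command and may have been reused by an unrelated process, which matters for a script normally run as root. Rather than dropping the variable, keep it and stop the timer after the wait, e.g. `kill "$CMDTIMEOUT_PID" 2>/dev/null`. The rest of the case branch lies outside the hunk, so a later cleanup may exist that is not visible here.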
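--- a/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
+++ b/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
@@ -0,0 +1,109 @@
+From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 14:04:43 +0200
+Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any()
+
+The code was almost identical and suffered from the same problem as
+fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
+corruption bugs").
+
+The only functional change this involves is ebt_parse_ip6_address() will
+now accept hostnames as well.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4)
+---
+extensions/libebt_ip6.c | 74 ++++++-----------------------------------
+1 file changed, 10 insertions(+), 64 deletions(-)
+
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index 301bed9aadefd..3cc39271d4658 100644
+--- a/extensions/libebt_ip6.c
++++ b/extensions/libebt_ip6.c
+@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match)
+memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr));
+}
+
+-static struct in6_addr *numeric_to_addr(const char *num)
++/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */
++static void ebt_parse_ip6_address(char *address,
++ struct in6_addr *addr, struct in6_addr *msk)
+{
+- static struct in6_addr ap;
+-
+- if (inet_pton(AF_INET6, num, &ap) == 1)
+- return ≈
+- return (struct in6_addr *)NULL;
+-}
+-
+-static struct in6_addr *parse_ip6_mask(char *mask)
+-{
+- static struct in6_addr maskaddr;
+struct in6_addr *addrp;
+- unsigned int bits;
+-
+- if (mask == NULL) {
+- /* no mask at all defaults to 128 bits */
+- memset(&maskaddr, 0xff, sizeof maskaddr);
+- return &maskaddr;
+- }
+- if ((addrp = numeric_to_addr(mask)) != NULL)
+- return addrp;
+- if (!xtables_strtoui(mask, NULL, &bits, 0, 128))
+- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask);
+- if (bits != 0) {
+- char *p = (char *)&maskaddr;
+- memset(p, 0xff, bits / 8);
+- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
+- p[bits / 8] = 0xff << (8 - (bits & 7));
+- return &maskaddr;
+- }
++ unsigned int naddrs;
+
+- memset(&maskaddr, 0, sizeof maskaddr);
+- return &maskaddr;
+-}
+-
+-/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
+- * The string pointed to by address can be altered. */
+-static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk)
+-{
+- struct in6_addr *tmp_addr;
+- char buf[256];
+- char *p;
+- int i;
+-
+- strncpy(buf, address, sizeof(buf) - 1);
+- /* first the mask */
+- buf[sizeof(buf) - 1] = '\0';
+- if ((p = strrchr(buf, '/')) != NULL) {
+- *p = '\0';
+- tmp_addr = parse_ip6_mask(p + 1);
+- } else
+- tmp_addr = parse_ip6_mask(NULL);
+-
+- *msk = *tmp_addr;
+-
+- /* if a null mask is given, the name is ignored, like in "any/0" */
+- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+- strcpy(buf, "::");
+-
+- if (inet_pton(AF_INET6, buf, addr) < 1) {
+- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
+- return;
+- }
+-
+- for (i = 0; i < 4; i++)
+- addr->s6_addr32[i] &= msk->s6_addr32[i];
++ xtables_ip6parse_any(address, &addrp, msk, &naddrs);
++ if (naddrs != 1)
++ xtables_error(PARAMETER_PROBLEM,
++ "Invalid IPv6 Address '%s' specified", address);
++ memcpy(addr, addrp, sizeof(*addr));
++ free(addrp);
+}
+
+#define OPT_SOURCE 0x01
+--
+2.31.1
+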
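Review bot: The new comment on ebt_parse_ip6_address() says addresses beyond the first are ignored, but the code below it rejects the input whenever `naddrs != 1`, so a hostname that resolves to several addresses fails with "Invalid IPv6 Address". Make the comment match the behaviour, e.g. `/* wrap xtables_ip6parse_any(), rejecting input that does not yield exactly one address */`, or drop the check if taking the first address is what was intended. Since the commit message notes that hostnames are now accepted, the resulting rule depends on name resolution at the moment it is loaded, which deserves a line in the extension's documentation. The removed body masked the address with `msk` explicitly, so it is also worth confirming that xtables_ip6parse_any() hands back an already masked address.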
554
0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
Normal file
@ -0,0 +1,554 @@
|
|||||||
|
From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Wed, 2 Jun 2021 12:56:06 +0200
|
||||||
|
Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere
|
||||||
|
|
||||||
|
This wraps strdup(), checking for errors.
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a)
|
||||||
|
---
|
||||||
|
extensions/libebt_ip.c | 3 ++-
|
||||||
|
extensions/libebt_ip6.c | 2 +-
|
||||||
|
extensions/libebt_stp.c | 3 ++-
|
||||||
|
extensions/libip6t_DNAT.c | 4 +---
|
||||||
|
extensions/libip6t_SNAT.c | 4 +---
|
||||||
|
extensions/libip6t_dst.c | 8 +++-----
|
||||||
|
extensions/libip6t_hbh.c | 7 +++----
|
||||||
|
extensions/libip6t_ipv6header.c | 2 +-
|
||||||
|
extensions/libip6t_mh.c | 2 +-
|
||||||
|
extensions/libip6t_rt.c | 7 +++----
|
||||||
|
extensions/libipt_DNAT.c | 8 ++------
|
||||||
|
extensions/libipt_SNAT.c | 4 +---
|
||||||
|
extensions/libxt_dccp.c | 2 +-
|
||||||
|
extensions/libxt_hashlimit.c | 5 +----
|
||||||
|
extensions/libxt_iprange.c | 4 +---
|
||||||
|
extensions/libxt_multiport.c | 6 ++----
|
||||||
|
extensions/libxt_sctp.c | 4 ++--
|
||||||
|
extensions/libxt_set.h | 4 ++--
|
||||||
|
extensions/libxt_tcp.c | 4 ++--
|
||||||
|
include/xtables.h | 1 +
|
||||||
|
iptables/iptables-xml.c | 4 ++--
|
||||||
|
iptables/nft-cache.c | 4 ++--
|
||||||
|
iptables/nft-cmd.c | 13 +++++++------
|
||||||
|
iptables/xshared.c | 2 +-
|
||||||
|
libxtables/xtables.c | 12 ++++++++++++
|
||||||
|
libxtables/xtoptions.c | 14 +++-----------
|
||||||
|
26 files changed, 60 insertions(+), 73 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
|
||||||
|
index acb9bfcdbbd9f..51649ffb3c305 100644
|
||||||
|
--- a/extensions/libebt_ip.c
|
||||||
|
+++ b/extensions/libebt_ip.c
|
||||||
|
@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
|
||||||
|
char *buffer;
|
||||||
|
char *cp;
|
||||||
|
|
||||||
|
- buffer = strdup(portstring);
|
||||||
|
+ buffer = xtables_strdup(portstring);
|
||||||
|
+
|
||||||
|
if ((cp = strchr(buffer, ':')) == NULL)
|
||||||
|
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
|
||||||
|
else {
|
||||||
|
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
|
||||||
|
index 3cc39271d4658..a686a285c3cb8 100644
|
||||||
|
--- a/extensions/libebt_ip6.c
|
||||||
|
+++ b/extensions/libebt_ip6.c
|
||||||
|
@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
|
||||||
|
char *buffer;
|
||||||
|
char *cp;
|
||||||
|
|
||||||
|
- buffer = strdup(portstring);
|
||||||
|
+ buffer = xtables_strdup(portstring);
|
||||||
|
if ((cp = strchr(buffer, ':')) == NULL)
|
||||||
|
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
|
||||||
|
else {
|
||||||
|
diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
|
||||||
|
index 81ba572c33c1a..3e9e24474eb61 100644
|
||||||
|
--- a/extensions/libebt_stp.c
|
||||||
|
+++ b/extensions/libebt_stp.c
|
||||||
|
@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper,
|
||||||
|
uint32_t low_nr, upp_nr;
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
- buffer = strdup(portstring);
|
||||||
|
+ buffer = xtables_strdup(portstring);
|
||||||
|
+
|
||||||
|
if ((cp = strchr(buffer, ':')) == NULL) {
|
||||||
|
low_nr = strtoul(buffer, &end, 10);
|
||||||
|
if (*end || low_nr < min || low_nr > max) {
|
||||||
|
diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
|
||||||
|
index 89c5ceb153250..f1ad81436316b 100644
|
||||||
|
--- a/extensions/libip6t_DNAT.c
|
||||||
|
+++ b/extensions/libip6t_DNAT.c
|
||||||
|
@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev)
|
||||||
|
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
|
||||||
|
const struct in6_addr *ip;
|
||||||
|
|
||||||
|
- arg = strdup(orig_arg);
|
||||||
|
- if (arg == NULL)
|
||||||
|
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||||
|
+ arg = xtables_strdup(orig_arg);
|
||||||
|
|
||||||
|
start = strchr(arg, '[');
|
||||||
|
if (start == NULL) {
|
||||||
|
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
|
||||||
|
index 7d74b3d76a93c..6d19614c7c708 100644
|
||||||
|
--- a/extensions/libip6t_SNAT.c
|
||||||
|
+++ b/extensions/libip6t_SNAT.c
|
||||||
|
@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
|
||||||
|
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
|
||||||
|
const struct in6_addr *ip;
|
||||||
|
|
||||||
|
- arg = strdup(orig_arg);
|
||||||
|
- if (arg == NULL)
|
||||||
|
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||||
|
+ arg = xtables_strdup(orig_arg);
|
||||||
|
|
||||||
|
start = strchr(arg, '[');
|
||||||
|
if (start == NULL) {
|
||||||
|
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
|
||||||
|
index fe7e3403468ce..bf0e3e436665d 100644
|
||||||
|
--- a/extensions/libip6t_dst.c
|
||||||
|
+++ b/extensions/libip6t_dst.c
|
||||||
|
@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
|
||||||
|
{
|
||||||
|
char *buffer, *cp, *next, *range;
|
||||||
|
unsigned int i;
|
||||||
|
-
|
||||||
|
- buffer = strdup(optsstr);
|
||||||
|
- if (!buffer)
|
||||||
|
- xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+ buffer = xtables_strdup(optsstr);
|
||||||
|
+
|
||||||
|
for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
|
||||||
|
{
|
||||||
|
next = strchr(cp, ',');
|
||||||
|
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
|
||||||
|
index 4cebecfd3d2f5..74e87cda7eea1 100644
|
||||||
|
--- a/extensions/libip6t_hbh.c
|
||||||
|
+++ b/extensions/libip6t_hbh.c
|
||||||
|
@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
|
||||||
|
{
|
||||||
|
char *buffer, *cp, *next, *range;
|
||||||
|
unsigned int i;
|
||||||
|
-
|
||||||
|
- buffer = strdup(optsstr);
|
||||||
|
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+ buffer = xtables_strdup(optsstr);
|
||||||
|
+
|
||||||
|
for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
|
||||||
|
{
|
||||||
|
next=strchr(cp, ',');
|
||||||
|
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
|
||||||
|
index 6f03087bb79d8..9e34562966f8b 100644
|
||||||
|
--- a/extensions/libip6t_ipv6header.c
|
||||||
|
+++ b/extensions/libip6t_ipv6header.c
|
||||||
|
@@ -147,7 +147,7 @@ parse_header(const char *flags) {
|
||||||
|
char *ptr;
|
||||||
|
char *buffer;
|
||||||
|
|
||||||
|
- buffer = strdup(flags);
|
||||||
|
+ buffer = xtables_strdup(flags);
|
||||||
|
|
||||||
|
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
|
||||||
|
ret |= add_proto_to_mask(name_to_proto(ptr));
|
||||||
|
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
|
||||||
|
index f4c0fd9fc0bca..64675405ac724 100644
|
||||||
|
--- a/extensions/libip6t_mh.c
|
||||||
|
+++ b/extensions/libip6t_mh.c
|
||||||
|
@@ -107,7 +107,7 @@ static void parse_mh_types(const char *mhtype, uint8_t *types)
|
||||||
|
char *buffer;
|
||||||
|
char *cp;
|
||||||
|
|
||||||
|
- buffer = strdup(mhtype);
|
||||||
|
+ buffer = xtables_strdup(mhtype);
|
||||||
|
if ((cp = strchr(buffer, ':')) == NULL)
|
||||||
|
types[0] = types[1] = name_to_type(buffer);
|
||||||
|
else {
|
||||||
|
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
|
||||||
|
index 3cb3b249d8995..9708b5a0c42f3 100644
|
||||||
|
--- a/extensions/libip6t_rt.c
|
||||||
|
+++ b/extensions/libip6t_rt.c
|
||||||
|
@@ -73,10 +73,9 @@ parse_addresses(const char *addrstr, struct in6_addr *addrp)
|
||||||
|
{
|
||||||
|
char *buffer, *cp, *next;
|
||||||
|
unsigned int i;
|
||||||
|
-
|
||||||
|
- buffer = strdup(addrstr);
|
||||||
|
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+ buffer = xtables_strdup(addrstr);
|
||||||
|
+
|
||||||
|
for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
|
||||||
|
{
|
||||||
|
next=strchr(cp, ',');
|
||||||
|
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
|
||||||
|
index 4907a2e83d066..5b33fd23f6e36 100644
|
||||||
|
--- a/extensions/libipt_DNAT.c
|
||||||
|
+++ b/extensions/libipt_DNAT.c
|
||||||
|
@@ -79,9 +79,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
|
||||||
|
char *arg, *colon, *dash, *error;
|
||||||
|
const struct in_addr *ip;
|
||||||
|
|
||||||
|
- arg = strdup(orig_arg);
|
||||||
|
- if (arg == NULL)
|
||||||
|
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||||
|
+ arg = xtables_strdup(orig_arg);
|
||||||
|
memset(&range, 0, sizeof(range));
|
||||||
|
colon = strchr(arg, ':');
|
||||||
|
|
||||||
|
@@ -302,9 +300,7 @@ parse_to_v2(const char *orig_arg, int portok, struct nf_nat_range2 *range)
|
||||||
|
char *arg, *colon, *dash, *error;
|
||||||
|
const struct in_addr *ip;
|
||||||
|
|
||||||
|
- arg = strdup(orig_arg);
|
||||||
|
- if (arg == NULL)
|
||||||
|
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||||
|
+ arg = xtables_strdup(orig_arg);
|
||||||
|
|
||||||
|
colon = strchr(arg, ':');
|
||||||
|
if (colon) {
|
||||||
|
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
|
||||||
|
index e92d811c2bc93..c655439ec9192 100644
|
||||||
|
--- a/extensions/libipt_SNAT.c
|
||||||
|
+++ b/extensions/libipt_SNAT.c
|
||||||
|
@@ -73,9 +73,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
|
||||||
|
char *arg, *colon, *dash, *error;
|
||||||
|
const struct in_addr *ip;
|
||||||
|
|
||||||
|
- arg = strdup(orig_arg);
|
||||||
|
- if (arg == NULL)
|
||||||
|
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||||
|
+ arg = xtables_strdup(orig_arg);
|
||||||
|
memset(&range, 0, sizeof(range));
|
||||||
|
colon = strchr(arg, ':');
|
||||||
|
|
||||||
|
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
|
||||||
|
index aea3e20be4818..abd420fcc0032 100644
|
||||||
|
--- a/extensions/libxt_dccp.c
|
||||||
|
+++ b/extensions/libxt_dccp.c
|
||||||
|
@@ -85,7 +85,7 @@ parse_dccp_types(const char *typestring)
|
||||||
|
uint16_t typemask = 0;
|
||||||
|
char *ptr, *buffer;
|
||||||
|
|
||||||
|
- buffer = strdup(typestring);
|
||||||
|
+ buffer = xtables_strdup(typestring);
|
||||||
|
|
||||||
|
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
|
||||||
|
unsigned int i;
|
||||||
|
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
|
||||||
|
index 7f1d2a402c4fd..3f3c43010ee2a 100644
|
||||||
|
--- a/extensions/libxt_hashlimit.c
|
||||||
|
+++ b/extensions/libxt_hashlimit.c
|
||||||
|
@@ -508,10 +508,7 @@ static void hashlimit_mt6_init(struct xt_entry_match *match)
|
||||||
|
static int parse_mode(uint32_t *mode, const char *option_arg)
|
||||||
|
{
|
||||||
|
char *tok;
|
||||||
|
- char *arg = strdup(option_arg);
|
||||||
|
-
|
||||||
|
- if (!arg)
|
||||||
|
- return -1;
|
||||||
|
+ char *arg = xtables_strdup(option_arg);
|
||||||
|
|
||||||
|
for (tok = strtok(arg, ",|");
|
||||||
|
tok;
|
||||||
|
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
|
||||||
|
index 8be2481497b8d..04ce7b364f1c6 100644
|
||||||
|
--- a/extensions/libxt_iprange.c
|
||||||
|
+++ b/extensions/libxt_iprange.c
|
||||||
|
@@ -73,11 +73,9 @@ iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
|
||||||
|
static void iprange_parse_range(const char *oarg, union nf_inet_addr *range,
|
||||||
|
uint8_t family, const char *optname)
|
||||||
|
{
|
||||||
|
- char *arg = strdup(oarg);
|
||||||
|
+ char *arg = xtables_strdup(oarg);
|
||||||
|
char *dash;
|
||||||
|
|
||||||
|
- if (arg == NULL)
|
||||||
|
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||||
|
dash = strchr(arg, '-');
|
||||||
|
if (dash == NULL) {
|
||||||
|
iprange_parse_spec(arg, arg, range, family, optname);
|
||||||
|
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
|
||||||
|
index 07ad4cfd4e519..4a42fa38238b9 100644
|
||||||
|
--- a/extensions/libxt_multiport.c
|
||||||
|
+++ b/extensions/libxt_multiport.c
|
||||||
|
@@ -87,8 +87,7 @@ parse_multi_ports(const char *portstring, uint16_t *ports, const char *proto)
|
||||||
|
char *buffer, *cp, *next;
|
||||||
|
unsigned int i;
|
||||||
|
|
||||||
|
- buffer = strdup(portstring);
|
||||||
|
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||||
|
+ buffer = xtables_strdup(portstring);
|
||||||
|
|
||||||
|
for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
|
||||||
|
{
|
||||||
|
@@ -109,8 +108,7 @@ parse_multi_ports_v1(const char *portstring,
|
||||||
|
char *buffer, *cp, *next, *range;
|
||||||
|
unsigned int i;
|
||||||
|
|
||||||
|
- buffer = strdup(portstring);
|
||||||
|
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||||
|
+ buffer = xtables_strdup(portstring);
|
||||||
|
|
||||||
|
for (i=0; i<XT_MULTI_PORTS; i++)
|
||||||
|
multiinfo->pflags[i] = 0;
|
||||||
|
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||||
|
index 140de2653b1ef..59b34684cc7f7 100644
|
||||||
|
--- a/extensions/libxt_sctp.c
|
||||||
|
+++ b/extensions/libxt_sctp.c
|
||||||
|
@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring,
|
||||||
|
char *buffer;
|
||||||
|
char *cp;
|
||||||
|
|
||||||
|
- buffer = strdup(portstring);
|
||||||
|
+ buffer = xtables_strdup(portstring);
|
||||||
|
DEBUGP("%s\n", portstring);
|
||||||
|
if ((cp = strchr(buffer, ':')) == NULL) {
|
||||||
|
ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
|
||||||
|
@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo,
|
||||||
|
int found = 0;
|
||||||
|
char *chunk_flags;
|
||||||
|
|
||||||
|
- buffer = strdup(chunks);
|
||||||
|
+ buffer = xtables_strdup(chunks);
|
||||||
|
DEBUGP("Buffer: %s\n", buffer);
|
||||||
|
|
||||||
|
SCTP_CHUNKMAP_RESET(einfo->chunkmap);
|
||||||
|
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
|
||||||
|
index 41dfbd30fc7c1..ad895a7504d9d 100644
|
||||||
|
--- a/extensions/libxt_set.h
|
||||||
|
+++ b/extensions/libxt_set.h
|
||||||
|
@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info)
|
||||||
|
static void
|
||||||
|
parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
|
||||||
|
{
|
||||||
|
- char *saved = strdup(opt_arg);
|
||||||
|
+ char *saved = xtables_strdup(opt_arg);
|
||||||
|
char *ptr, *tmp = saved;
|
||||||
|
int i = 0;
|
||||||
|
|
||||||
|
@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
|
||||||
|
static void
|
||||||
|
parse_dirs(const char *opt_arg, struct xt_set_info *info)
|
||||||
|
{
|
||||||
|
- char *saved = strdup(opt_arg);
|
||||||
|
+ char *saved = xtables_strdup(opt_arg);
|
||||||
|
char *ptr, *tmp = saved;
|
||||||
|
|
||||||
|
while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
|
||||||
|
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
|
||||||
|
index 58f3c0a0c3c28..383e4db5b5e23 100644
|
||||||
|
--- a/extensions/libxt_tcp.c
|
||||||
|
+++ b/extensions/libxt_tcp.c
|
||||||
|
@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports)
|
||||||
|
char *buffer;
|
||||||
|
char *cp;
|
||||||
|
|
||||||
|
- buffer = strdup(portstring);
|
||||||
|
+ buffer = xtables_strdup(portstring);
|
||||||
|
if ((cp = strchr(buffer, ':')) == NULL)
|
||||||
|
ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
|
||||||
|
else {
|
||||||
|
@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags)
|
||||||
|
char *ptr;
|
||||||
|
char *buffer;
|
||||||
|
|
||||||
|
- buffer = strdup(flags);
|
||||||
|
+ buffer = xtables_strdup(flags);
|
||||||
|
|
||||||
|
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
|
||||||
|
unsigned int i;
|
||||||
|
diff --git a/include/xtables.h b/include/xtables.h
|
||||||
|
index df1eaee326643..107ad7d65e6fc 100644
|
||||||
|
--- a/include/xtables.h
|
||||||
|
+++ b/include/xtables.h
|
||||||
|
@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t);
|
||||||
|
extern void *xtables_calloc(size_t, size_t);
|
||||||
|
extern void *xtables_malloc(size_t);
|
||||||
|
extern void *xtables_realloc(void *, size_t);
|
||||||
|
+char *xtables_strdup(const char *);
|
||||||
|
|
||||||
|
extern int xtables_insmod(const char *, const char *, bool);
|
||||||
|
extern int xtables_load_ko(const char *, bool);
|
||||||
|
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
|
||||||
|
index 98d03dda98d2b..6cf059fb67292 100644
|
||||||
|
--- a/iptables/iptables-xml.c
|
||||||
|
+++ b/iptables/iptables-xml.c
|
||||||
|
@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr)
|
||||||
|
"%s: line %u chain name invalid\n",
|
||||||
|
prog_name, line);
|
||||||
|
|
||||||
|
- chains[nextChain].chain = strdup(chain);
|
||||||
|
- chains[nextChain].policy = strdup(policy);
|
||||||
|
+ chains[nextChain].chain = xtables_strdup(chain);
|
||||||
|
+ chains[nextChain].policy = xtables_strdup(policy);
|
||||||
|
chains[nextChain].count = *ctr;
|
||||||
|
chains[nextChain].created = 0;
|
||||||
|
nextChain++;
|
||||||
|
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||||||
|
index 6b6e6da40a826..7fd78654b280a 100644
|
||||||
|
--- a/iptables/nft-cache.c
|
||||||
|
+++ b/iptables/nft-cache.c
|
||||||
|
@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name)
|
||||||
|
}
|
||||||
|
|
||||||
|
new = xtables_malloc(sizeof(*new));
|
||||||
|
- new->name = strdup(name);
|
||||||
|
+ new->name = xtables_strdup(name);
|
||||||
|
list_add_tail(&new->head, pos ? &pos->head : list);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level,
|
||||||
|
return;
|
||||||
|
|
||||||
|
if (!req->table)
|
||||||
|
- req->table = strdup(cmd->table);
|
||||||
|
+ req->table = xtables_strdup(cmd->table);
|
||||||
|
else
|
||||||
|
assert(!strcmp(req->table, cmd->table));
|
||||||
|
|
||||||
|
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
|
||||||
|
index 9b0c964847615..8dccdd734b156 100644
|
||||||
|
--- a/iptables/nft-cmd.c
|
||||||
|
+++ b/iptables/nft-cmd.c
|
||||||
|
@@ -11,6 +11,7 @@
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
+#include <xtables.h>
|
||||||
|
#include "nft.h"
|
||||||
|
#include "nft-cmd.h"
|
||||||
|
|
||||||
|
@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
cmd->command = command;
|
||||||
|
- cmd->table = strdup(table);
|
||||||
|
+ cmd->table = xtables_strdup(table);
|
||||||
|
if (chain)
|
||||||
|
- cmd->chain = strdup(chain);
|
||||||
|
+ cmd->chain = xtables_strdup(chain);
|
||||||
|
cmd->rulenum = rulenum;
|
||||||
|
cmd->verbose = verbose;
|
||||||
|
|
||||||
|
@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
|
||||||
|
cmd->obj.rule = rule;
|
||||||
|
|
||||||
|
if (!state->target && strlen(state->jumpto) > 0)
|
||||||
|
- cmd->jumpto = strdup(state->jumpto);
|
||||||
|
+ cmd->jumpto = xtables_strdup(state->jumpto);
|
||||||
|
}
|
||||||
|
|
||||||
|
list_add_tail(&cmd->head, &h->cmd_list);
|
||||||
|
@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
|
||||||
|
if (!cmd)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- cmd->rename = strdup(newname);
|
||||||
|
+ cmd->rename = xtables_strdup(newname);
|
||||||
|
|
||||||
|
nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
|
||||||
|
|
||||||
|
@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table,
|
||||||
|
if (!cmd)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- cmd->policy = strdup(policy);
|
||||||
|
+ cmd->policy = xtables_strdup(policy);
|
||||||
|
if (counters)
|
||||||
|
cmd->counters = *counters;
|
||||||
|
|
||||||
|
@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
|
||||||
|
if (!cmd)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- cmd->policy = strdup(policy);
|
||||||
|
+ cmd->policy = xtables_strdup(policy);
|
||||||
|
|
||||||
|
nft_cache_level_set(h, NFT_CL_RULES, cmd);
|
||||||
|
|
||||||
|
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||||
|
index 9a1f465a5a6d3..4027d9240215e 100644
|
||||||
|
--- a/iptables/xshared.c
|
||||||
|
+++ b/iptables/xshared.c
|
||||||
|
@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted)
|
||||||
|
xtables_error(PARAMETER_PROBLEM,
|
||||||
|
"Trying to store NULL argument\n");
|
||||||
|
|
||||||
|
- store->argv[store->argc] = strdup(what);
|
||||||
|
+ store->argv[store->argc] = xtables_strdup(what);
|
||||||
|
store->argvattr[store->argc] = quoted;
|
||||||
|
store->argv[++store->argc] = NULL;
|
||||||
|
}
|
||||||
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||||
|
index 6947441fec659..1931e3896262a 100644
|
||||||
|
--- a/libxtables/xtables.c
|
||||||
|
+++ b/libxtables/xtables.c
|
||||||
|
@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size)
|
||||||
|
return p;
|
||||||
|
}
|
||||||
|
|
||||||
|
+char *xtables_strdup(const char *s)
|
||||||
|
+{
|
||||||
|
+ char *dup = strdup(s);
|
||||||
|
+
|
||||||
|
+ if (!dup) {
|
||||||
|
+ perror("ip[6]tables: strdup failed");
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return dup;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static char *get_modprobe(void)
|
||||||
|
{
|
||||||
|
int procfile;
|
||||||
|
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
|
||||||
|
index 0dcdf607f4678..9d3ac5c8066cb 100644
|
||||||
|
--- a/libxtables/xtoptions.c
|
||||||
|
+++ b/libxtables/xtoptions.c
|
||||||
|
@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb)
|
||||||
|
unsigned int maxiter;
|
||||||
|
int value;
|
||||||
|
|
||||||
|
- wp_arg = lo_arg = strdup(cb->arg);
|
||||||
|
- if (lo_arg == NULL)
|
||||||
|
- xt_params->exit_err(RESOURCE_PROBLEM, "strdup");
|
||||||
|
+ wp_arg = lo_arg = xtables_strdup(cb->arg);
|
||||||
|
|
||||||
|
maxiter = entry->size / esize;
|
||||||
|
if (maxiter == 0)
|
||||||
|
@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
|
||||||
|
xtopt_parse_host(cb);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
- work = strdup(orig_arg);
|
||||||
|
- if (work == NULL)
|
||||||
|
- xt_params->exit_err(PARAMETER_PROBLEM, "strdup");
|
||||||
|
+ work = xtables_strdup(orig_arg);
|
||||||
|
p = strchr(work, '/'); /* by def this can't be NULL now */
|
||||||
|
*p++ = '\0';
|
||||||
|
/*
|
||||||
|
@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file)
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
lmap_this->id = id;
|
||||||
|
- lmap_this->name = strdup(cur);
|
||||||
|
- if (lmap_this->name == NULL) {
|
||||||
|
- free(lmap_this);
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
+ lmap_this->name = xtables_strdup(cur);
|
||||||
|
lmap_this->next = NULL;
|
||||||
|
|
||||||
|
if (lmap_prev != NULL)
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,31 @@
|
|||||||
|
From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Wed, 2 Jun 2021 15:15:37 +0200
|
||||||
|
Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
|
||||||
|
strncpy()
|
||||||
|
|
||||||
|
If the target buffer does not need to be null-terminated, one may simply
|
||||||
|
use memcpy() and thereby avoid any compiler warnings.
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
|
||||||
|
---
|
||||||
|
extensions/libxt_string.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
|
||||||
|
index 7c6366cbbf1b3..739a8e7fd66b6 100644
|
||||||
|
--- a/extensions/libxt_string.c
|
||||||
|
+++ b/extensions/libxt_string.c
|
||||||
|
@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
|
||||||
|
{
|
||||||
|
/* xt_string does not need \0 at the end of the pattern */
|
||||||
|
if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
|
||||||
|
- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
|
||||||
|
+ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
|
||||||
|
info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
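Review bot: The new `memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE)` in parse_string() always reads the full maximum from `s`, but the guard above it only establishes `strlen(s) <= XT_STRING_MAX_PATTERN_SIZE`, so for any shorter pattern the copy reads past the terminator of the argument string. The strncpy() it replaces stopped at the NUL and zero-filled the remainder. Copying only the measured length avoids the warning without the over-read: `info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);` followed by `memcpy(info->pattern, s, info->patlen);`. If the caller does not already zero `info->pattern` (not visible here), a `memset` of the remainder would be needed to keep the padding strncpy() provided. parse_string() starts and ends outside the hunk.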
@ -5,12 +5,12 @@ ARPTABLES_CONFIG=/etc/sysconfig/arptables
|
|||||||
# compat for removed initscripts dependency
|
# compat for removed initscripts dependency
|
||||||
|
|
||||||
success() {
|
success() {
|
||||||
echo -n "[ OK ]"
|
echo "[ OK ]"
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
failure() {
|
failure() {
|
||||||
echo -n "[FAILED]"
|
echo "[FAILED]"
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -21,31 +21,28 @@ start() {
|
|||||||
|
|
||||||
# don't do squat if we don't have the config file
|
# don't do squat if we don't have the config file
|
||||||
if [ -f $ARPTABLES_CONFIG ]; then
|
if [ -f $ARPTABLES_CONFIG ]; then
|
||||||
echo -n $"Applying arptables firewall rules: "
|
printf "Applying arptables firewall rules: "
|
||||||
/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
|
/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
|
||||||
success || \
|
success || \
|
||||||
failure
|
failure
|
||||||
echo
|
|
||||||
touch /var/lock/subsys/arptables
|
touch /var/lock/subsys/arptables
|
||||||
else
|
else
|
||||||
failure
|
failure
|
||||||
echo
|
echo "Configuration file /etc/sysconfig/arptables missing"
|
||||||
echo $"Configuration file /etc/sysconfig/arptables missing"
|
|
||||||
exit 6
|
exit 6
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
stop() {
|
stop() {
|
||||||
echo -n $"Removing user defined chains:"
|
printf "Removing user defined chains: "
|
||||||
arptables -X && success || failure
|
arptables -X && success || failure
|
||||||
echo -n $"Flushing all chains:"
|
printf "Flushing all chains: "
|
||||||
arptables -F && success || failure
|
arptables -F && success || failure
|
||||||
echo -n $"Resetting built-in chains to the default ACCEPT policy:"
|
printf "Resetting built-in chains to the default ACCEPT policy: "
|
||||||
arptables -P INPUT ACCEPT && \
|
arptables -P INPUT ACCEPT && \
|
||||||
arptables -P OUTPUT ACCEPT && \
|
arptables -P OUTPUT ACCEPT && \
|
||||||
success || \
|
success || \
|
||||||
failure
|
failure
|
||||||
echo
|
|
||||||
rm -f /var/lock/subsys/arptables
|
rm -f /var/lock/subsys/arptables
|
||||||
}
|
}
|
||||||
|
|
||||||
|
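Review bot: In start(), the lock file is touched even when arptables-restore fails, because the `success || failure` chain only prints a status and the following line runs unconditionally. A failed rule load then presumably leaves the service marked as started with no rules applied, which for a firewall helper is the fail-open case. Returning from the failure branch, e.g. `success || { failure; return 1; }`, would keep `touch /var/lock/subsys/arptables` on the successful path only, and quoting `"$ARPTABLES_CONFIG"` in the `-f` test and the redirect would guard against a path containing spaces. The new error message still hard-codes `/etc/sysconfig/arptables` instead of printing `$ARPTABLES_CONFIG`. start() begins before the hunk.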
@ -23,7 +23,6 @@ VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
|
|||||||
|
|
||||||
# ebtables-config defaults
|
# ebtables-config defaults
|
||||||
EBTABLES_SAVE_ON_STOP="no"
|
EBTABLES_SAVE_ON_STOP="no"
|
||||||
EBTABLES_SAVE_ON_RESTART="no"
|
|
||||||
EBTABLES_SAVE_COUNTER="no"
|
EBTABLES_SAVE_COUNTER="no"
|
||||||
|
|
||||||
# load config if existing
|
# load config if existing
|
||||||
@ -49,7 +48,7 @@ sanitize_dump() {
|
|||||||
local table="${line#\*}"
|
local table="${line#\*}"
|
||||||
local found=false
|
local found=false
|
||||||
for t in $EBTABLES_TABLES; do
|
for t in $EBTABLES_TABLES; do
|
||||||
if [[ $t == $table ]]; then
|
if [[ $t == "$table" ]]; then
|
||||||
found=true
|
found=true
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
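Review bot: The newly quoted `"$table"` in sanitize_dump() has no comment saying why the quotes matter, and they are easy to drop again in a later cleanup. Inside `[[ ]]` an unquoted right-hand side of `==` is matched as a glob pattern, and `table` is taken from the dump line being read, so a name such as `*` would have matched every entry in `$EBTABLES_TABLES`. A comment above the test such as `# quoted: compare literally, $table comes from the dump and must not act as a pattern` would record that. sanitize_dump() starts and ends outside the hunk.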
@ -11,7 +11,7 @@ Name: iptables
|
|||||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||||
URL: https://www.netfilter.org/projects/iptables
|
URL: https://www.netfilter.org/projects/iptables
|
||||||
Version: 1.8.7
|
Version: 1.8.7
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||||
Source1: iptables.init
|
Source1: iptables.init
|
||||||
Source2: iptables-config
|
Source2: iptables-config
|
||||||
@ -28,6 +28,15 @@ Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
|
|||||||
Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
|
Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
|
||||||
Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
|
Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
|
||||||
Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
|
Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
|
||||||
|
Patch5: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
|
||||||
|
Patch6: 0006-extensions-libebt_ip6-Drop-unused-variables.patch
|
||||||
|
Patch7: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
|
||||||
|
Patch8: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
|
||||||
|
Patch9: 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
|
||||||
|
Patch10: 0010-iptables-apply-Drop-unused-variable.patch
|
||||||
|
Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
|
||||||
|
Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
|
||||||
|
Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
|
||||||
|
|
||||||
# pf.os: ISC license
|
# pf.os: ISC license
|
||||||
# iptables-apply: Artistic 2.0
|
# iptables-apply: Artistic 2.0
|
||||||
@ -423,6 +432,19 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 10 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-12
|
||||||
|
- arptables-nft-helper: Remove bashisms
|
||||||
|
- ebtables-helper: Drop unused variable, add a missing quote
|
||||||
|
- extensions: libxt_string: Avoid buffer size warning for strncpy()
|
||||||
|
- libxtables: Introduce xtables_strdup() and use it everywhere
|
||||||
|
- extensions: libebt_ip6: Use xtables_ip6parse_any()
|
||||||
|
- iptables-apply: Drop unused variable
|
||||||
|
- nft: Avoid buffer size warnings copying iface names
|
||||||
|
- nft: Avoid memleak in error path of nft_cmd_new()
|
||||||
|
- libxtables: Fix memleak in xtopt_parse_hostmask()
|
||||||
|
- extensions: libebt_ip6: Drop unused variables
|
||||||
|
- libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
|
||||||
|
|
||||||
* Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11
|
* Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11
|
||||||
- Fix License name in spec file
|
- Fix License name in spec file
|
||||||
- Eliminate inet_aton() and inet_ntoa()
|
- Eliminate inet_aton() and inet_ntoa()
|
||||||
|